Mongoose虚拟填充,什么是mongoose#trustedSymbol?

klsxnrf1  于 2022-11-13  发布在  Go
关注(0)|答案(1)|浏览(146)

This are my schemas:
user.js

'use strict'

const { models, model, Schema } = require('mongoose')

const schema = new Schema(
    {
        name: {
            type: String,
            required: true,
        },
    },
    {
        timestamps: true,
        discriminatorKey: 'type',
    }
)

schema.virtual('posts', {
    ref: 'Post',
    localField: '_id',
    foreignField: 'user',
})

module.exports = models.User|| model('User', schema)

post.js

'use strict'

const { models, model, Schema } = require('mongoose')

const schema = new Schema(
    {
        text: {
            type: String,
            required: true,
        },
        user: {
            type: Schema.Types.ObjectId,
            ref: 'User',
            required: true,
        },
    },
    {
        timestamps: true,
        discriminatorKey: 'type',
    }
)

module.exports = models.Post|| model('Post', schema)

And the Query:

const user = await UserModel.findById(req.params.id).populate('posts')

I don't know what i doing wrong, but populate is not returning anything
I turn on my mongoose debug flag to check what is the query for virtual populate and see that on my terminal:

Mongoose: users.findOne({ _id: new ObjectId("6182fce8c339b6f51c933eee") }, { projection: {} })
Mongoose: posts.find({ user: { '$in': [ new ObjectId("6182fce8c339b6f51c933eee") ], [Symbol(mongoose#trustedSymbol)]: true }}, { skip: 0, limit: 10, perDocumentLimit: undefined, projection: {} })

I do the query manually again

const posts = await PostModel.find({credential: { $in: [Types.ObjectId(req.params.id)]}})

and return data :/
and terminal print:

Mongoose: posts.find({ user: { '$in': [ new ObjectId("6182fce8c339b6f51c933eee") ] } }, { projection: {} })
rdlzhqv9

rdlzhqv91#

至于回答“mongoose#trustedSymbol”是什么意思的问题,我参考了以下文章,以获得针对查询选择器注入净化输入的更多深度:
Defending Against Query Selector Injection Attacks
What's New in Mongoose 6: The 'sanitizeFilter' Option
简而言之,mongoose.trusted()函数可用于实现对查询中以“$”开头的符号的信任,该查询将解析为[Symbol(mongoose#trustedSymbol)]: true

相关问题